Our top risks for financial services firms in 2024 - complete analysis

Thu 04 Apr 2024

We have identified and ranked the key risks for financial services business leaders in 2024 based on market research, regulatory insights as well as our assessment of the current difficulties facing firms. We also highlight the changes in risk rankings compared to last year, justified by global events and new regulations that have surfaced in the past year.

Key takeaways

As the adverse effects of the pandemic slowly fade, 2023 has seen further geopolitical tensions, large advances in generative artificial intelligence (AI) technology and devastating climate-related events around the globe. Alongside cybersecurity and operational resilience, these risks comprise the top five that firms should focus on in 2024.

Our top risk of 2024 concerns information and cybersecurity. Firms must not only manage the evolving cybersecurity threats of today’s digital economy but also consider the ongoing geopolitical challenges that drive them. Cyber risk should therefore remain a key focus for this year. Additionally, as firms continue to digitise their operations and services, AI has become a greater concern for business leaders, which is why AI also sits within our top five risks.

Russia’s invasion of Ukraine continues to put upward pressure on energy prices, and the Israel-Palestine conflict has the potential to destabilise the Middle East, causing further increases in commodity prices and challenges for supply chains. On top of this, national elections are scheduled in 64 countries (including the US, India, the EU, and Russia) in 2024, representing half the world’s population, all of which heightens geopolitical uncertainty.

Climate and sustainability continue to be a key priority this year, for which we can also observe an acceleration in focus by the regulators and supervisors. Financial services firms need to understand how the effects of climate change and biodiversity loss can impact their loan portfolios (i.e., potential losses and cost of risk), lending strategies and how transition risk may leave them exposed in the coming years.

Operational resilience is a pressing issue for 2024. With the regulatory deadline of March 2025 fast approaching, firms must ensure they have prepared their risk frameworks accordingly and have the correct measures in place to mitigate this risk.

The issues firms face today are highly complex and interconnected, with some of the risks mentioned above having the potential to occur simultaneously and aggravate each other. For example, the Single Resolution Board (SRB) states that discussions have taken place at a strategic level around “Russia’s invasion of Ukraine, which has led to high uncertainty and a perceptible increase in financial stability risk in the EU, also in connection with cyber incidents”[1], outlining the interconnectivity of these pressing issues.

It is therefore essential for firms to have effective risk management practices in place to keep abreast of new risks and manage new, emerging, and existing risks during both normal and stressful circumstances.

Top risks 2023 vs 2024 [2]

Risk                                              | 2024 ranking | 2023 ranking | Change
--------------------------------------------------|--------------|--------------|----------
Top 5 risks                                       |              |              |
Information and cybersecurity risk                | 1            | 5            | up 4
Geopolitical risk                                 | 2            | 2            | no change
Climate and sustainability risk                   | 3            | 4            | up 1
Artificial intelligence and machine learning risk | 4            | –            | new
Operational resilience                            | 5            | 6            | up 1
Other important risks (not ranked in 2024)        |              |              |
Regulatory and supervisory risk                   | –            | 3            |
Macroeconomic environment risk                    | –            | –            |
Model risk                                        | –            | 8            |
Outsourcing and third-party risk                  | –            | 7            |
Governance and risk culture                       | –            | –            |

1. Information and cybersecurity risk

This concerns protecting the confidentiality, integrity and availability of information and relates to the risk of loss resulting from cyber-attacks or data breaches on the organisation.

In today’s digital world, financial services firms are incredibly dependent on IT systems to perform tasks and deliver services. While these new technologies and advancements bring benefits, they also pose many risks including the spread of misinformation and the increased potential for cyber-related incidents. Trends indicate that the threat of cyber-attacks is only growing and illustrate how these attacks are becoming increasingly sophisticated. Cybersecurity is also threatened by the development of generative AI programs, which adds another layer of complexity and risk that firms must consider.

Not only has the likelihood of an attack increased; the global average cost of a data breach in 2023 was $4.45 million[3], a 15% increase over the last three years.

Firms therefore need to ensure that they have the latest protections in place and, in the event of a breach or cyber-attack, advanced recovery solutions ready. This includes methods to rebuild the systems that underpin critical activities if they are corrupted by attackers. Firms are beginning to assume that a major hack will occur, a mindset that can help to accelerate investment by businesses.

As a result of increased cyber threats, the European Central Bank (ECB) has announced a cyber resilience stress test on 109 directly supervised banks in 2024. The test will assess how banks respond to and recover from a cyberattack. Additionally, firms should prepare for the introduction of the Digital Operational Resilience Act (DORA), which will apply as of January 2025[4]. DORA will impact 20 different types of financial entities and covers areas including Information and Communication Technology (ICT) risk management, digital operational resilience testing and ICT-related incidents.

In the UK, the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) are concerned about the potential concentration of third-party services provided to regulated firms by a small number of providers to support their operations; cloud computing is an example of such a service. Their concern is that such concentrations are potential single points of failure, which could heighten financial stability risks if, say, a cyber-attack at one cloud provider led to widespread disruption at several firms. The PRA and FCA are jointly consulting on new statutory powers that will enable them to intervene to raise the resilience of the services that so-called critical third parties provide[5].

2. Geopolitical risk

This relates to the wide array of risks associated with geopolitics, conflicts or tensions between states, and the impacts on businesses, trade, security, and political relations.

Whilst the effects of the COVID pandemic have faded, geopolitical tensions have grown in Europe and the Middle East. Russia continues its war in Ukraine, and although Europe is seeking alternative sources of oil, energy prices continue to rise, with predictions that household energy expenditure will increase further in 2024[6]. Moreover, instability in the Middle East due to the Israel-Palestine conflict puts additional upward pressure on oil prices[7]. Economies have struggled to keep pace this year, as evidenced by Germany announcing dramatically lower growth forecasts for 2024 and the UK slipping into a recession. Furthermore, increasing clashes between global superpowers have the potential to result in economic policies being used defensively to build self-sufficiency and sovereignty from rival powers. These tensions are emphasised by the looming elections taking place in the US, India, and the EU later this year, which add to the political uncertainty.

Businesses are struggling to keep up with the rapidly changing landscape of interconnected risks that are caused by increasing geopolitical tension. These risks include supply chain disruptions, shifts in consumer behaviour, financial liquidity, and solvency. Firms must ensure they have effective horizon-scanning processes in place that enable them to monitor and assess emerging geopolitical risks more rapidly and be able to adapt to them. At a strategic level, firms should ensure that these risks are appropriately considered and monitored within their risk management and risk appetite frameworks.

3. Climate and sustainability risk

This refers to the potential negative impacts of climate change on the environment, society, and the economy. Sustainability risk refers to the financial loss due to environmental, social and governance (ESG) factors.

2023 has borne witness to multiple extreme weather events that have caused devastating loss of life, habitats, and property, increasing social and financial strain[8]. The World Economic Forum estimates that over half of the world’s GDP[9] ($44 trillion of economic value) is at moderate or severe risk due to nature loss. This is particularly important for large sectors such as agriculture, food and construction, which are heavily dependent on nature for future resilience. Due to the impact of climatic changes on businesses and societal attitudes towards the environment, climate and sustainability risk remains a high priority for organisations.

Financial services regulators now have climate as one of their key risks. This is evident from the swathe of climate risk regulations that are being introduced or due to come on stream in the next couple of years.

In 2023, Europe’s Corporate Sustainability Reporting Directive (CSRD) came into force which strengthens mandatory sustainability reporting requirements[10]. Outside the EU, the International Sustainability Standards Board (ISSB) has published two Sustainability Disclosure Standards – IFRS S1 and IFRS S2. These standards lay out baselines for sustainability disclosures to address users’ needs for high-quality and comparable sustainability information.

Firms must ensure they are prepared to meet the expectations outlined in these regulations by embedding climate risk considerations into their risk management programmes in a proportionate manner and developing appropriate modelling capabilities to quantify the impact of climate change on their balance sheets and financial performance.

One of the ECB’s supervisory priorities for 2024-2026 is to “accelerate the effective remediation of the persisting shortcomings in governance and risks management of climate-related and environmental risks”[11]. It is essential that firms implement sound climate and sustainability policies, both to mitigate the ever-increasing risk they are exposed to from climate change and to ensure compliance with regulation. By the end of 2024, the ECB expects the banks it directly supervises to have implemented all the expectations defined in its 2020 Guide on climate-related and environmental risks[12].

4. Artificial intelligence (AI) and machine learning (ML) risk

This relates to the potential issues arising from the use of AI and ML in businesses and decision-making and includes risks around ethical and customer outcomes, algorithmic bias, data privacy and safety concerns and outsourcing complexities.

AI is already becoming part of our daily lives, and whilst these advancements introduce many opportunities for firms, such as the ability to make quicker and better-informed decisions, there are also important ethical questions, security risks, and business strategy implications that must be appropriately understood and managed. 2023 saw steep leaps in generative AI capabilities, specifically with the proficiency of GPT-3 and GPT-4 increasing faster than initially expected[13]. Firms should assess the impacts of AI, how it may affect their business models and strategies, and the impact of regulation on their adoption journey. Risk mitigation will entail investment in and development of robust model risk management policies and processes, and information security management systems and controls, to match the increased risk.

5. Operational resilience

This relates to a firm’s ability to prevent, adapt, respond, and recover from operational disruptions.

Recent years have shown the importance of implementing sound operational resilience policies to mitigate the effects of a disruption. To manage the risk of disruption, banks should leverage their operational risk management functions to identify internal and external threats and potential failures in people, processes, and systems on an ongoing basis. They should promptly assess the vulnerabilities of critical operations and manage the resulting risk per their operational resilience approach.

In addition to this, firms must ensure they are on track to meet the upcoming regulatory implementation deadline in 2025[14], by which UK regulators will expect firms’ operational resilience frameworks to have been tested and to be fit for purpose in identifying, assessing, and monitoring the vulnerabilities of their critical functions. Furthermore, the announcement of a cyber resilience stress test by the ECB in 2024 and the introduction of DORA in 2025 heighten the need for firms to implement sound risk management practices. Operational disruption risk is closely linked with other risks in our top ten, notably cybersecurity and outsourcing and third-party risk. The recent regulatory focus on solvent wind-down for smaller banks, outlined in the updates to the Special Resolution Regime, highlights the importance for firms of preparing for threats on an ongoing basis.

Other important risks

Regulatory and supervisory risk

The risk is that firms are unable to keep up with regulatory changes or are ineffective at implementing those changes which can result in deteriorating internal standards or non-compliance.

2024 will see a host of new regulations coming into force[15] in the UK, including the Strong & Simple regime, updates to the Basel 3.1 framework and the implementation of Sustainability fund labels. Beyond the UK, firms should prepare for the introduction of EU regulations that may impact UK entities such as DORA in 2025.

Another regulatory area firms should focus on is financial crime and Anti-Money Laundering (AML). Changes in UK legislation (which came into force on 25th October 2023) have increased the requirements on organisations to identify and mitigate the risk of fraud committed for their benefit. This included significant changes to the criminal charges organisations can face for failing to prevent fraud[16].

Firms must ensure they have appropriate horizon scanning and regulatory management processes in place to ensure they adhere to the ever-evolving regulatory requirements and look to avoid any fines and reputational damage from non-compliance.

Macroeconomic environment risk

This is the risk that economic conditions negatively impact consumers, businesses, and financial services firms.

The key economic risk for 2024 is an unexpected rebound in global inflation. Presently, markets and corporations are pricing in a series of rate cuts by central banks. The risk comes from the supply side (goods). Spikes in energy or food prices could usher in a new wave of inflation, forcing central banks to maintain rates higher for longer, or even hiking rates instead of cutting them[17].

A second year of high interest rates could cause a sharper economic slowdown and higher unemployment. Areas of the market that have so far remained unscathed could experience dislocation, deepening an economic downturn. On top of that, a third year of high inflation could fundamentally change the way people consume and lead businesses to delay much-needed capital investment. The world experienced such a fundamental shift in consumer behaviour at the end of the 1970s.

The sharp rise in interest rates created banking wobbles in Spring 2023. Now financial services firms must navigate the possibility of a higher-for-longer interest rate environment that will exert increasing pressure on consumer and business debt sustainability; this in turn puts pressure on financial services firms’ balance sheets and profitability, and could be the precursor to a wave of firm consolidation.

Firms must ensure that they are testing their and their customers’ resilience to this interest rate/inflation environment (compared to the ultra-low interest, liquidity-rich setting of the past 15 years) and what it means for their business model viability were these conditions to persist for some time.

Model risk

This is the potential adverse consequence of model errors or the inappropriate use of modelled outputs to inform business decisions.

Firms increasingly rely on models to collect data, predict trends, manage risks, and make decisions at both operational and strategic levels. This increased dependence on modelling means the risk of errors arising from suboptimal models and poor decision-making has increased. With models becoming integral to the day-to-day operation of firms, firms must employ robust measures to ensure the models are producing reliable outputs. The rapid development and adoption of AI and ML technologies add a layer of complexity to these risks. 2023 saw great regulatory focus on model risk, particularly with the PRA’s publication of ‘Five Principles’ for Model Risk Management[18]. Now firms must ensure they have adequate and proportionate processes in place for model identification, classification, governance, development, implementation, and validation.

In the EU, the ECB recently published its final revised guide to internal models[19], in which the supervisor provides its expectations based on the recent developments in EU regulations and the learnings from inspections at banks. For example, banks must now consider material climate-related and environmental risk drivers in their internal models when calculating their own funds requirements.

Outsourcing and third-party risk

This refers to the risks that arise from contracting with a third party, and in particular the risk that a service, product or activity provided by a supplier will deteriorate, be interrupted, or cease indefinitely, exposing businesses to operational, reputational and/or financial damage.

Now more than ever, firms are using outsourced providers and third parties to support operational functions and deliver services to customers. This exposes firms, and in extreme cases the wider financial system, to great risk. Firms need to ensure they have identified and managed risks across the lifecycle of a relationship or service, whilst considering operational resilience requirements. In the UK, firms must do so by complying with the regulators’ requirements outlined in Supervisory Statement 2/21[20], which came into force in March 2022. The requirements involve identifying and assessing the materiality and risks of all outsourcing and third-party arrangements, as well as applying appropriate and proportionate governance and controls.

Governance and risk culture

Governance concerns how firms are organised and the efficacy of their management bodies in conducting business and managing risk. Risk culture reflects the shared goals and practices that embed risk into a business’ decision-making process and risk management into its operating process. It incorporates the values, behaviours and understanding that make up how individuals and groups interact with and act on risk.

Risk culture together with businesses’ governance processes underpins a strong risk management framework. Without these mechanisms, organisations do not have the necessary checks and balances in place to counter excessive risk-taking and ensure that decisions are taken sustainably and prudently. A strong governance framework means that key risk areas such as operational risk, conduct risk, Anti-Money Laundering (AML) and market risk can be managed effectively and reduce the possibility of errors arising.

A common underlying cause for many business failures relates to poor risk and governance arrangements. This was evidenced several times last year with the failures at Silicon Valley Bank, Signature Bank of New York and First Republic Bank, and the rescue of Credit Suisse.[21]

It is no surprise that regulators continue to emphasise the need for firms to take risk management seriously. The PRA has once again highlighted risk management and governance as one of its key priorities[22], as has the ECB[23]. Having sound risk management and risk culture practices in place is conducive to the effective monitoring and management of the risks listed in this article.

The risks faced by financial services firms are highly complex, often related and constantly evolving which presents difficult challenges for executives to oversee and solve. Firms must have strong governance procedures so they can embed effective risk management practices. These practices should enable firms to have independent risk management functions that identify and track (emerging) risk trends and ensure these risks are covered in key decision-making committees and strategic actions. Prioritising and investing in risk management to ensure it is understood and embedded throughout the organisation will go some way towards successfully achieving business objectives and mitigating impacts from new risks.

[1] SRB Annual Report 2022
[2] Please note that we have adopted a methodological change between our approach in 2023 and 2024. This year we have ranked the top 5 risks. The next 5 risks have been grouped as “other important risks”, but not ranked. In 2023 we ranked the top 10 risks. IT Disruption was ranked as the number 1 risk in our 2023 article; it does not directly appear in our top 10 risks for 2024 as it has been considered an outcome of risks such as ‘Operational Resilience’ and ‘Information & Security’ and not a risk per se.
[3] Cost of a Data Breach Report 2023 – IBM
[4] EIOPA
[5] PRA and FCA CP on Critical Third Parties
[6] Will Energy Prices Fall in 2024?
[7] How the War in Israel and Gaza is Shaking Financial Markets – Forbes
[8] 10 Global Weather and Climate Change Events
[9] World Economic Forum
[10] Risk in Focus 2024
[11] ECB Banking Supervision: SSM supervisory priorities for 2024-2026
[12] ECB Guide on climate-related and environmental risks
[13] Top Emerging Risks – Gartner
[14] Operational Resilience – FCA
[15] Financial Regulation Outlook 2024: Banking
[16] Economic Crime and Corporate Transparency Bill 2022
[17] Weekly market update – 6 Key Risks for 2024 – Mazars – United Kingdom
[18] PS6/23 Model Risk Management Principles for Banks
[19] ECB Guide to Internal Models
[20] Outsourcing and Third-Party Risk Management
[21] Lessons from the Spring 2023 banking turmoil
[22] UK Deposit Takers Supervision: 2024 priorities
[23] ECB Banking Supervision: SSM supervisory priorities for 2024-2026